This configuration demonstrates how to connect a VPN Client to a PIX
firewall with the use of wildcards and the sysopt connection permit-ipsec
and sysopt ipsec pl-compatible commands. This document also covers the
nat 0 access-list command.

Note: Encryption technology is subject to export controls. It is your
responsibility to know the law related to the export of encryption technology.
If you have any questions related to export control, send an E-mail to
export@cisco.com.

The information in this document is based on these software and
hardware versions.

Cisco Secure PIX Software release 5.0.3 with Cisco Secure VPN Client
1.0 (shown as 2.0.7 in the Help > About menu) or Cisco Secure PIX Software
release 6.2.1 with Cisco Secure VPN Client 1.1 (shown as 2.1.12 in the Help
> About menu).

Internet machines access the web host on the inside with the IP
address 192.68.0.50.

The VPN Client accesses all machines on the inside with the use of
all ports (10.1.1.0 /24 and 10.2.2.0 /24).

The information presented in this document was created from devices in
a specific lab environment. All of the devices used in this document started
with a cleared (default) configuration. If you work in a live network, ensure
that you understand the potential impact of any command before you use
it.

On the PIX, the access-list and nat 0 commands work together. The
nat 0 access-list command is intended to be used instead of the
sysopt ipsec pl-compatible command. If you use the nat 0 command with the
matching access-list command, you have to know the IP address of the client
that makes the VPN connection in order to create the matching access control
list (ACL) to bypass NAT.

Note: The sysopt ipsec pl-compatible command scales better than the
nat 0 command with the matching access-list command in order to bypass
Network Address Translation (NAT), because you do not need to know the IP
addresses of the clients that make the connection. The interchangeable
commands are bold in the configuration in this document.
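The PIX side of this setup, added here as an illustration and not taken from the document's own configuration: the two interchangeable ways of bypassing NAT for the VPN Client are shown side by side, together with the wildcard pre-shared key and sysopt connection permit-ipsec. The access-list number 101, the transform-set and crypto map names, the DES/MD5 proposals, and the angle-bracket placeholders for the client address and the public addresses are assumptions; the lines starting with !--- are annotations, not commands.

```cisco
!--- Option A: nat 0 with a matching access-list. The ACL must name the
!--- address the client receives from its ISP, so it must be known in advance.
!--- Source = inside networks, destination = the client address.
access-list 101 permit ip 10.1.1.0 255.255.255.0 host <vpn-client-ip>
access-list 101 permit ip 10.2.2.0 255.255.255.0 host <vpn-client-ip>
nat (inside) 0 access-list 101

!--- Option B (scales better): exempt traffic to any IPSec peer from NAT
!--- without knowing client addresses. Use this instead of the three lines above.
sysopt ipsec pl-compatible

!--- Needed with either option: let decrypted IPSec traffic bypass the
!--- conduit/access-list checks on the outside interface.
sysopt connection permit-ipsec

!--- Inside hosts reach the Internet through normal NAT/PAT; only traffic
!--- matched by Option A or B above goes through the tunnel untranslated.
global (outside) 1 <public-pat-address>
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Internet users (no VPN Client) reach the web host 192.68.0.50 through a
!--- static translation and a conduit for HTTP only.
static (inside,outside) <public-web-address> 192.68.0.50 netmask 255.255.255.255 0 0
conduit permit tcp host <public-web-address> eq www any

!--- Wildcard pre-shared key: the 0.0.0.0 address/netmask accepts any
!--- client address, which is why the client IP need not be known for ISAKMP.
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address

!--- Phase 1 policy (must match the client's Authentication proposal).
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

!--- Phase 2 policy (must match the client's IPSec proposal); a dynamic map
!--- is used because the client's address is unknown.
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
```

Choose either Option A or Option B, not both; with Option B the access-list 101 and nat 0 lines are unnecessary.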

A user with a VPN Client connects and receives an IP address from their
Internet service provider (ISP). The user has access to everything on the
inside of the firewall, which includes both inside networks (10.1.1.0/24 and
10.2.2.0/24). Also, users who do not run the client can connect to the web
server with the use of the address provided by the static assignment. Users
on the inside can connect to the Internet; it is not necessary for their
traffic to go through the IPSec tunnel.

Follow these steps to configure the policy for the VPN Client IPSec
connection.

On the Remote Party Identity and Addressing tab, define the private
network you want to be able to reach with the use of the VPN Client. Next,
select Connect using Secure Gateway Tunnel and define the
outside IP address of the PIX.

Select My Identity and leave the setting to the
default. Next, click the Pre-Shared Key
button.

Enter the Pre-shared Key that is configured on the PIX.

Configure the Authentication proposal (Phase 1 policy).

Configure the IPSec proposal (Phase 2 policy).

Note: Do not forget to save the policy when you are finished. Open up a DOS
window and ping a known host on the inside network of the PIX in order to
initiate the tunnel from the client. You receive an Internet Control Message
Protocol (ICMP) unreachable message from the first ping as it tries to
negotiate the tunnel.